[prev in list] [next in list] [prev in thread] [next in thread]
List: oisf-users
Subject: [Oisf-users] FW: Warning in AF-Packet IPS Mode
From: Leonard Jacobs <ljacobs () netsecuris ! com>
Date: 2013-03-27 11:17:38
Message-ID: f2fcedb5-636a-4494-8126-5d1a1faa10eb () netsecuris ! com
[Download RAW message or body]
[Attachment #2 (multipart/related)]
[Attachment #4 (multipart/alternative)]
From: Leonard Jacobs [mailto:ljacobs@netsecuris.com]
Sent: Wednesday, March 27, 2013 6:17 AM
To: 'Eric Leblond'
Cc: 'oisf-team@openinfosecfoundation.org'
Subject: RE: Warning in AF-Packet IPS Mode
Thanks. So would more threads set in AF-Packet help with this too.
I only have one thread set on each interface in af-packet configuration within \
suricata.yaml. I notice when Suricata initializes that it says something like either \
14 or 18 processing threads initialize and 3 management threads. Something like \
this. Is it specifying af-packet processing or just Suricata packet processing. I \
am using a quad-core i7 processor,which has 8 threads in it.
From: Eric Leblond [mailto:eric.leblond@gmail.com]
Sent: Wednesday, March 27, 2013 2:59 AM
To: Leonard Jacobs
Subject: Re: Warning in AF-Packet IPS Mode
Hi,
A packet can't be send on an interface because it is too long.
Is defrag set to yes in af-packet configuration ? If yes, can you try with no ?
BR,
On Wed, Mar 27, 2013 at 1:57 AM, Leonard Jacobs <ljacobs@netsecuris.com> wrote:
What do the following warnings mean?
<Warning> - [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 8: \
Message too long
<Warning> - [ERRCODE: SC_ERR_INVALID_ACTION(142)] - Unable to release packet data
I am using 1 thread in AF-Packet. My kernel is 3.2.0-23-generic.
Leonard Jacobs
President/CEO
Netsecuris Inc.
9301 Bryant Avenue S
Suite 104
Minneapolis, MN 55420
(952) 641-1421 ext. 20
http://www.netsecuris.com
--
Eric Leblond : eric.leblond@gmail.com
Blog: http://home.regit.org | Portfolio: http://regit.500px.com/
[Attachment #7 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" \
CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 \
(filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);} o\:* \
{behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div \
class=WordSection1><p class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p \
class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div \
style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p \
class=MsoNormal><b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Leonard Jacobs \
[mailto:ljacobs@netsecuris.com] <br><b>Sent:</b> Wednesday, March 27, 2013 6:17 \
AM<br><b>To:</b> 'Eric Leblond'<br><b>Cc:</b> \
'oisf-team@openinfosecfoundation.org'<br><b>Subject:</b> RE: Warning in AF-Packet IPS \
Mode<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p \
class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks. \
So would more threads set in AF-Packet help with this \
too.<o:p></o:p></span></p><p class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p \
class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I only have \
one thread set on each interface in af-packet configuration within \
suricata.yaml. I notice when Suricata initializes that it says something like \
either 14 or 18 processing threads initialize and 3 management threads. \
Something like this. Is it specifying af-packet processing or just Suricata \
packet processing. I am using a quad-core i7 processor,which has 8 threads in \
it.<o:p></o:p></span></p><p class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p \
class=MsoNormal><b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Eric Leblond [<a \
href="mailto:eric.leblond@gmail.com">mailto:eric.leblond@gmail.com</a>] \
<br><b>Sent:</b> Wednesday, March 27, 2013 2:59 AM<br><b>To:</b> Leonard \
Jacobs<br><b>Subject:</b> Re: Warning in AF-Packet IPS Mode<o:p></o:p></span></p><p \
class=MsoNormal><o:p> </o:p></p><div><div><p \
class=MsoNormal>Hi,<o:p></o:p></p></div><div><p \
class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>A packet can't be \
send on an interface because it is too long. <o:p></o:p></p></div><div><p \
class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Is defrag set to yes in \
af-packet configuration ? If yes, can you try with no ?<o:p></o:p></p><div><p \
class=MsoNormal><o:p> </o:p></p></div><div><p \
class=MsoNormal>BR,<o:p></o:p></p></div></div><div><p class=MsoNormal \
style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Mar \
27, 2013 at 1:57 AM, Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com" \
target="_blank">ljacobs@netsecuris.com</a>> wrote:<o:p></o:p></p><div><div><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>What do \
the following warnings mean?<o:p></o:p></p><p class=MsoNormal \
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><Warning> \
- [ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 8: Message too \
long<o:p></o:p></p><p class=MsoNormal \
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><Warning> \
- [ERRCODE: SC_ERR_INVALID_ACTION(142)] - Unable to release packet \
data<o:p></o:p></p><p class=MsoNormal \
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am using \
1 thread in AF-Packet. My kernel is 3.2.0-23-generic.<o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'>Leonard Jacobs</span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'>President/CEO</span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'>Netsecuris Inc.</span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'>9301 Bryant Avenue S</span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'>Suite 104</span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'>Minneapolis, MN \
55420</span><o:p></o:p></p><p class=MsoNormal \
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'>(952) 641-1421 ext. \
20</span><o:p></o:p></p><p class=MsoNormal \
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'><a href="http://www.netsecuris.com" \
target="_blank">http://www.netsecuris.com</a></span><o:p></o:p></p><p class=MsoNormal \
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'><img border=0 width=288 height=96 \
id="_x0000_i1025" src="cid:image001.jpg@01CE2AB2.ABBF0150" \
alt="logo_tagline3x1"></span><o:p></o:p></p><p class=MsoNormal \
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span \
style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p \
class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div><p \
class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p \
class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <br>Eric Leblond : \
<a href="mailto:eric.leblond@gmail.com" \
target="_blank">eric.leblond@gmail.com</a><br>Blog: <a href="http://home.regit.org" \
target="_blank">http://home.regit.org</a> | Portfolio: <a \
href="http://regit.500px.com/" target="_blank">http://regit.500px.com/</a> \
<o:p></o:p></p></div></div></body></html>
["image001.jpg" (image/jpeg)]
_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic